Out of fairness want to note that the most significant component of the
problems with the OpenLDAP packages for Debian (and Ubuntu, to a
somewhat lesser degree) is that the packaging team has basically no
resources.

Interesting about the Debian situation. Another reminder to me of why I
don't use Debian; the project's concerns about absolute "freedom" don't
mesh with my concerns about getting real work done.

Well, I certainly won't debate that here, but just to be clear, nothing
that I said has anything whatsoever to do with Debian's definition of
freedom or free software. Debian doesn't object to OpenSSL for any
grounds related to free software definitions or licensing. Everyone
agrees that the licenses of all software involved qualify as free
software.
Debian doesn't distribute GPL'd software linked (via OpenLDAP) to OpenSSL
because we believe doing so would be *illegal*. Not non-free, not falling
astray of some Debian licensing principle, but an actual legal violation
of the OpenSSL and GPL licenses for which we could be sued.
If you build the software yourself against OpenSSL but don't distribute
it, the relevant clause of the GPL doesn't apply and there is no issue.

Getting far into digression here, but this is another reason to switch to the
nssov / nss-pam-ldapd model. Remove libldap from PAM/NSS and a lot of these
linking issues disappear.